A typical U2F user workflow is to have at least two keys, one for daily use, another as backup.
As of now it seems that we can only register one U2F key at a time.
It might be very useful to be able to register/manage/unregister multiple keys.
Many websites supporting U2F provide this (Google, Facebook, GitHub, GitLab, …)
I would add that there should not be an artificial limit on the number of U2F keys allowed. I’d like to be able to leave keys in all my PCs in different locations, plus a backup or two.
Currently, as we can only register 1 U2F key as second-factor authentication, if one were to lose that key, he would lose access to the service and all passwords.
This forces users who want a backup plan to enable another second-factor authentication in case the main one (U2F) is lost. However, most other second factors reduce the security of the account. If a hardware token is the most secure form, having to enable a second method like email or an authenticator app only serves to weaken the overall security of the account, because now you also need to protect your email account or the computer/mobile running the authenticator app.
Being able to register only U2F keys keeps the security at the top and allows a backup plan in case the main key is lost.
Having 2 U2F keys is almost mandatory (see Google with their advanced protection system).
Since you must make a choice between the risk of losing the key and losing access to all accounts, or having a weaker “backup” way of connecting back to your account.
And by the way, thank you for the wonderful work!
That’s not entirely true actually. There is a two-step login recovery code for when you lose your U2F key (or any other second factor).
Still, I would also appreciate it if it were possible to add more than one U2F key. Yubico OTP is great, but it looks like U2F will be the future, at least in the browser and mobile space.
This is a very important feature for me as I have several U2F keys, each of which I use regularly on multiple computers. Having to register one key as U2F and the rest as Yubico or TOTP is both inconvenient and insecure.
I’m switching my family and business to bitwarden partly to get away from OTP and use U2F more. I’d prefer we could use a second U2F device as a backup instead of going back to OTP options.
Laptops like the Pixelbook and MacBooks are starting to build U2F devices into the hardware. This will lead to everyone needing this in the coming years/months.
I signed up to the forum just to add my support to this request. I have a Yubikey U2F device that is always plugged into my laptop. I also use the U2F app on my Ledger Nano S, which is backed up via the device seed.
On most of my U2F accounts, I use the Yubikey device for everyday logins, then I have the Ledger device registered too, so I will always be able to recover my accounts even in dire circumstances where every device I own fails/is stolen (because the Ledger’s key is derived from the seed, which I have stored safely).
Because you only allow registration of one device, I have to use the Ledger as my primary key with Bitwarden, which can be a bit of a pain. Multiple keys would be greatly appreciated!
I recently purchased two U2F Yubikeys for the purpose of password management.
I left LastPass because they only support OTP Yubikeys. I migrated to Dashlane because they support U2F Yubikeys but then discovered they force you to enable a less secure authentication in case you lose your keys. So you could imagine my excitement after hearing that Bitwarden not only supported U2F but they also didn’t force less secure authentication as backup. I eagerly paid for premium membership only to be severely disappointed. As far as I’m concerned, offering U2F is fairly pointless if it’s restricted to a single key, and announcing it as a feature was a big tease.
So just want to express my support for this feature. And please consider that there is likely a sudden surge of demand for this feature if my personal experience is anything to go by. The only reason I finally took the plunge with Yubikey is after all the recent media attention around Google, how it stopped their employees getting phished and the news of the upcoming Titan keys.